Previously, data warehouse security was tightly coupled to source system security (AIS, HRMS, etc.) and was controlled by source system owners. This meant that users could work in the data warehouse only with the same security that they had in the source system. To allow for expanded analytics, we decided to de-couple security from the source systems with a new approach – Role Based Access Control (RBAC) and Row Level Security (RLS), both of which are implemented within the data warehouse itself.
RBAC: Role Based Access Control
RBAC stands for “Role-based access control”. In this model, each role has its own set of permissions and each user is assigned to one or more roles as appropriate. Workday operates with the RBAC model as well.
The new RBAC roles in the data warehouse will allow users to run advanced analytics and to view dashboards that aggregate data from multiple applications, even if they do not have access to the source applications. For example, someone may not have an account in Research Management System (RMS), but if they were assigned a Research role in the data warehouse, they could view the number of proposals submitted in RMS when viewing data or reports in the data warehouse.
How do we expand security for analysis while still protecting confidential data?
In order to protect confidential data, we are employing additional layers of security called domain control and regulatory control.
When you log into Cognos, you will see only what is available for the domain you belong to. Cross-domain reporting is only possible for those with roles that grant access to more than one domain.
Certain “slices” of data will be further secured with regulatory controls. Some examples of these might be FMLA, HIPAA, and student grades. Data Governance will make the final decisions as to what gets placed under regulatory control.
RLS: Row Level Security
RLS can be viewed as an additional security layer on top of RBAC, which restricts users to be able to see only a certain “slice” of a sensitive dataset.
Compensation data in the data warehouse has been classified by the Office of Data Governance as sensitive, and access to the Compensation data for reporting/analytics is to be restricted at the data consumers’ own school level. Access is granted by request only.
Access to Compensation data is requested using the School Compensation access request form. Approval from the appropriate department supervisor and data administrator for this domain is required. The domain approver for compensation data is HR Data Administrator – Legail Chandler. Once completed, the signed form should be submitted to the Data Management service team, which will then grant the appropriate access.